Methods and systems for associating an embedded security chip with a computer

ABSTRACT

In at least some embodiments, a method comprises initializing an embedded security chip for use with a computer and performing a binding operation between the embedded security chip and the computer. The method further comprises, during each subsequent boot of the computer, validating the binding operation before the embedded security chip performs a cryptographic function.

BACKGROUND

Computers and computer networks have provided individuals and enterprises with numerous capabilities and conveniences. For example, electronic data transmissions between individuals and/or enterprises are part of the daily operations of many businesses and organizations. Many security techniques such as passwords, cryptography, digital certificates and “firewalls” are used to protect data stored on computers and computer networks. Unfortunately, software-only security techniques have been vulnerable to the malicious efforts of hackers.

To improve the security of data stored on computers and computer networks, hardware-based security techniques have been formulated. One hardware-based security technique implements an embedded security chip (e.g., a Trusted Platform Module (TPM)) that stores secrets such as encryption keys and/or hash values and performs internal cryptographic operations using these secrets. Thus, the secrets are not available outside the embedded security chip.

To guard against physically tampering with an embedded security chip and retrieving the protected secrets, each embedded security chip needs to be “bound” to a single computer. For example, efforts to bind an embedded security chip to a single computer have included using tamper resistant tape to visually detect tampering, soldering the embedded security chip to a computer unit's processor board (e.g., motherboard) or using a chassis lock. Unfortunately, these efforts do not guarantee that an embedded security chip will not be physically tampered with. In other words, a malicious hacker may still be able to physically access the computer, remove the embedded security chip and retrieve the secrets. The secrets may be used to access sensitive data.

BRIEF DESCRIPTION OF THE DRAWINGS

For a detailed description of exemplary embodiments of the invention, reference will now be made to the accompanying drawings in which:

FIG. 1 shows a system in accordance with embodiments of the invention;

FIG. 2 shows a diagram that illustrates a validation process in accordance with embodiments of the invention;

FIG. 3 shows another diagram that illustrates a validation process in accordance with embodiments of the invention;

FIG. 4 shows a method in accordance with embodiments of the invention; and

FIG. 5 shows another method in accordance with alternative embodiments of the invention.

NOTATION AND NOMENCLATURE

Certain terms are used throughout the following description and claims to refer to particular system components. As one skilled in the art will appreciate, computer companies may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In the following discussion and in the claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . .” Also, the term “couple” or “couples” is intended to mean either an indirect, direct, optical or wireless electrical connection. Thus, if a first device couples to a second device, that connection may be through a direct electrical connection, through an indirect electrical connection via other devices and connections, through an optical electrical connection, or through a wireless electrical connection.

DETAILED DESCRIPTION

The following discussion is directed to various embodiments of the invention. Although one or more of these embodiments may be preferred, the embodiments disclosed should not be interpreted, or otherwise used, as limiting the scope of the disclosure, including the claims. In addition, one skilled in the art will understand that the following description has broad application, and the discussion of any embodiment is meant only to be exemplary of that embodiment, and not intended to intimate that the scope of the disclosure, including the claims, is limited to that embodiment.

Embodiments of the invention are directed to systems and methods that protect secrets stored by an embedded security chip such as a Trusted Platform Module (TPM) even if the embedded security chip is disconnected from its computer platform or is otherwise tampered with. In at least some embodiments, if an embedded security chip is successfully initialized for use with a computer, a data-structure that identifies the unique relationship between the embedded security chip and the computer is generated. During each subsequent boot of the computer, a verification process is performed to validate the identities of the computer and the embedded security chip based on the data-structure. In some embodiments, the verification process involves a cryptographic binding between the embedded security chip and the platform. If the identities of both the embedded security chip and the platform are validated, the embedded security chip is operable to perform cryptographic functions such as encrypting/decrypting data for the platform. If the identity of either the embedded security chip or the platform is not validated, one or more actions are performed to prevent unauthorized access and/or use of the secrets stored by the embedded security chip.

FIG. 1 shows a computer system 100 in accordance with embodiments of the invention. As shown in FIG. 1, the computer system 100 comprises a motherboard 102 configured to have various electronic components attached thereto. In at least some embodiments, the system 100 comprises a processor 104 that couples to a Basic Input/Output System (BIOS) 106 and a system memory 115. The BIOS 106 may be associated with a BIOS chip. The processor 104 also couples to a mount 122 of the motherboard 102, which enables a Trusted Platform Module (TPM) 114 to be detachably or fixedly connected to the motherboard 102.

As shown, the TPM 114 comprises a memory 116 that stores platform validation instructions 118. The TPM 114 also comprises cryptographic logic 120 that is configured to provide cryptographic functions such as asymmetric key functions, secure storage of hash values, endorsement key (EK) functions, initialization functions, and management functions.

As shown, the BIOS 106 comprises TPM validation instructions 110 and error response instructions 112. The BIOS 106 also comprises other BIOS routines 113 that enable other known or future BIOS processes to be performed. In some embodiments, the BIOS instructions (e.g., the TPM validation instructions 110, the error response instructions 112, or the other BIOS routines 113) are decompressed at run time and stored into the system memory 109. When executed, the TPM validation instructions 110 are configured to cause at least one of two processes to occur. The TPM validation instructions 110 may function in conjunction with the platform validation instructions 118 to provide a combined TPM/platform validation that is dependent on functions provided by both the TPM 114 and the BIOS 106. Both of the processes are configured to ensure that the TPM 114 is the TPM with which the computer 100 was originally initialized and also that the computer 100 is the computer with which the TPM 114 was initialized.

In the first process, the TPM 114 is instructed to generate a data-structure (i.e., a secret) that is unique. If initialization of the TPM 114 by the computer 100 is successful, the secret is stored in the TPM 114 and in a non-volatile memory 108 coupled to or internal to the BIOS 106. In at least some embodiments, the non-volatile memory 108 is only accessible to the BIOS 106 and is lockable upon exiting a power-on self test (POST) or before the computer 100 finishes booting. For example, the non-volatile memory 108 may be lockable using a password-controlled procedure. The secret stored by the non-volatile memory 108 is unique in both time and space (i.e., the secret is a random number that should not ever be repeatable or computable). The secret may be, for example, a pass phrase, a password, a Universally Unique Identifier (UUID) or any other secret. In some embodiments, the secret is obtained using a challenge/response protocol similar to operating system (OS) login schemes. For example, a protocol such as a Zero Knowledge Proof (ZKP) may be implemented. In embodiments that implement ZKP, the non-volatile memory 108 does not need to store the secret.

In at least some embodiments, the secret may be obfuscated using the TPM 114. For example, the TPM 114 (or some other entity) may generate a random number (e.g., a binary large object or “BLOB”) as the secret. The secret is then associated uniquely with the TPM 114 via a TPM “BIND” or “SEAL” command. In some embodiments, the bound/sealed secret and/or a hash of the secret is stored within the non-volatile memory 108 associated with the BIOS 106. The hash is generated by a secure hash algorithm such as “SHA-1” or “SHA-256.”

Upon subsequent boot of the computer 100, the BIOS chip 106 unseals the secret. The unsealed secret is re-hashed using the same secure hashing algorithms described above. This re-hashed value is then compared to the hashed value previously stored in the non-volatile memory 108. If the hashes match, then the identity of the TPM 114 is verified since only the TPM 114 could have unsealed the correct value (per the properties of a TPM as defined by the Trusted Computing Group).

In at least some embodiments, new TPM initialization commands or binding commands are implemented such that the TPM 114 will not initialize itself unless proper authentication credentials (e.g., validation of the secret) are provided by the computer 100 to the TPM 114. For example, the new TPM commands could be implemented as a derivative of some existing TPM commands like “TPM Init” and enable the BIOS 106 to pass in the hashed value of the unsealed secret (or some other unique platform-specific secret) to the TPM 114. The TPM 114 can then verify if the passed in secret matches the secret previously stored in the memory 116. If the secrets match, the TPM 114 returns a success notification to the BIOS 106 and continues to behave normally, enabling the computer 100 to boot. During the computer's normal boot process, the TPM 114 may use the secret as part of the TPM initialization process performed by the BIOS 106. For example, in some embodiments, the secret is used as a symmetric encryption key that increases the security of a challenge/response protocol between the BIOS 106 and the TPM 114.

If the value of the passed in secret does not match the value previously stored in the memory 116 (or if a secret is not provided), the TPM 114 is configurable to refuse initialization and/or to clear all protected secrets (i.e., return to a TPM factory reset state) based on policies that are controlled by the TPM owner or an authorized user. The TPM 114 also may return an error notification to the BIOS. In at least some embodiments, the BIOS is able to track startup sequences in which the TPM/platform validation failed.

In response to an error notification, the error response instructions 112 stored by the BIOS chip 106 are executed. The error response instructions 112 are configured to cause at least one action such as halting the computer's boot process, notifying a user or system administrator, booting with the TPM 114 disabled or clearing all the secrets protected by the TPM 114. The actions performed by the BIOS 106 in response to an error notification may be in addition to any actions automatically performed by the TPM 114. Also, all error notifications to the BIOS and subsequent responses may be logged for future auditing.

In at least some embodiments, the TPM 114 is configured to perform some operations for the computer 100 without being “owned” by the computer 100. For example, there may be cases where a portion of the TPM 114 performs non-critical operations. In such a case, the TPM 114 is allowed to initialize after a TPM/platform validation failure. However, no critical TPM operation (i.e., no operation involving the secrets protected by the TPM) is allowed.
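The first process (seal the secret in the TPM, keep the sealed blob and its hash in BIOS non-volatile memory, re-hash and compare on every boot, then pass the hash to an extended init command) as a runnable model. This is an added example, not code from the patent; the TPM is a constructed stand-in whose HMAC-based seal merely models the property that only the sealing chip can unseal, and the names `SimulatedTPM`, `BiosNV`, `initialize_binding` and `boot_validate` are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


class SimulatedTPM:
    """Constructed stand-in for TPM 114. The per-chip key never leaves the
    object, so only the chip that sealed a blob can unseal it. (A real TPM
    seals under its storage root key; the construction here only models
    that property and is not the TCG SEAL format.)"""

    def __init__(self):
        self._chip_key = os.urandom(32)          # hardware-unique, internal
        self._bound_hash = None                  # copy kept in TPM memory 116
        self.protected_secrets = {"disk_key": os.urandom(32)}
        self.initialized = False

    def generate_binding_secret(self) -> bytes:
        """Generate the unique random BLOB and remember its SHA-256 hash."""
        secret = os.urandom(32)
        self._bound_hash = hashlib.sha256(secret).digest()
        return secret

    def seal(self, data: bytes) -> bytes:
        """Seal up to 32 bytes: keystream from chip key + nonce, then a tag."""
        nonce = os.urandom(NONCE_LEN)
        stream = hashlib.sha256(self._chip_key + nonce).digest()
        body = bytes(a ^ b for a, b in zip(data, stream))
        tag = hmac.new(self._chip_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unseal(self, blob: bytes):
        """Return the plaintext, or None if this chip did not seal the blob."""
        if len(blob) < NONCE_LEN + TAG_LEN:
            return None
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._chip_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        stream = hashlib.sha256(self._chip_key + nonce).digest()
        return bytes(a ^ b for a, b in zip(body, stream))

    def extended_init(self, secret_hash, policy="refuse") -> str:
        """Extended TPM_Init: BIOS passes in the hash of the unsealed secret.
        On mismatch or missing secret the TPM refuses initialization, or
        clears all protected secrets when the owner's policy says so."""
        if (self._bound_hash is not None and secret_hash is not None
                and hmac.compare_digest(secret_hash, self._bound_hash)):
            self.initialized = True
            return "success"
        if policy == "clear":
            self.protected_secrets.clear()       # factory-reset state
            self._bound_hash = None
        return "error"


@dataclass
class BiosNV:
    """Non-volatile memory 108: sealed secret plus its hash, locked after POST."""
    sealed_secret: bytes = b""
    secret_hash: bytes = b""
    locked: bool = False
    audit_log: list = field(default_factory=list)


def initialize_binding(tpm: SimulatedTPM, nv: BiosNV) -> None:
    """Initialization: the TPM generates and seals the secret; the BIOS stores
    the sealed blob and the SHA-256 of the plain secret, then locks the memory."""
    secret = tpm.generate_binding_secret()
    nv.sealed_secret = tpm.seal(secret)
    nv.secret_hash = hashlib.sha256(secret).digest()
    nv.locked = True


def boot_validate(tpm: SimulatedTPM, nv: BiosNV, policy="refuse") -> str:
    """Every subsequent boot: unseal, re-hash, compare with the stored hash,
    then hand the hash to the TPM's extended init. Returns the action taken."""
    plain = tpm.unseal(nv.sealed_secret) if nv.sealed_secret else None
    rehash = hashlib.sha256(plain).digest() if plain is not None else None
    bios_ok = rehash is not None and hmac.compare_digest(rehash, nv.secret_hash)
    tpm_result = tpm.extended_init(rehash if bios_ok else None, policy)
    if bios_ok and tpm_result == "success":
        return "ok: critical TPM functions enabled"
    action = "halt boot" if policy == "refuse" else "boot with TPM disabled"
    nv.audit_log.append(action)                  # kept for future auditing
    return "error: " + action
```

Swapping in a second `SimulatedTPM` against the same `BiosNV` models FIG. 3 (unseal fails), and booting the original TPM against an empty `BiosNV` models FIG. 2 (no secret to present).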

As previously mentioned, the TPM validation instructions 110 may cause a second process to be performed. In the second process, a measurement that is unique to the computer 100 is dynamically generated by the BIOS every time the computer 100 is powered on from a low-power state (i.e., at each resume from a S4/S5 state). The unique measurement is based on a plurality of configuration parameters for the computer 100. For example, these configuration parameters could include, but are not limited to, some combinations of the platform's unique identifier (UUID), a serial number, asset tags, a hard drive identifier (ID), a list of peripheral component interconnect (PCI) devices present in the computer 100, and TPM Platform Configuration Register (PCR) values. Thus, if any of the computer configurations included in the measurement changes, the final measurement will change. If none of the computer configurations included in the measurement change, the final measurement remains the same. In at least some embodiments, the computer's manufacturer dictates the computer-specific configuration parameters that are included in the measurement with the condition that the measurement is unique to the computer 100.

During the first boot of the computer 100 (or during a user/administrator designated registration boot cycle), the BIOS generates the unique measurement of the computer 100. The unique measurement is passed as a parameter to the TPM 114 using a command from the BIOS to the TPM 114. In at least some embodiments, the standard TPM initialization commands and/or startup commands are extended to enable the TPM 114 to receive the unique measurement as a parameter.

If an Endorsement Key (EK) has been established with the TPM 114 (i.e., if ownership of the TPM 114 has been established), the TPM 114 securely stores the measurement. If an EK has not been established with the TPM 114, then the TPM 114 ignores (or otherwise discounts) the measurement received from the BIOS. After the measurement is stored in the TPM 114, the TPM 114 does not allow any changes to the stored measurement unless the EK has been changed (i.e., commands such as TPM_OwnerClear or TPM_ForceClear should not affect the stored measurement).

Upon every subsequent boot after the initial measurement is stored, the BIOS will again measure the unique platform configurations, generate a measurement and send the new measurement to the TPM 114 (e.g., using an extended TPM initialization command “TPM_INIT” or extended TPM startup command “TPM_STARTUP”). If the incoming measurement does not match the stored measurement, the TPM 114 is configurable to cease receiving (or performing) commands from the BIOS or the TPM software stack (TSS). Additionally or alternatively, the TPM 114 may clear its internal state to remove all protected secrets.

In at least some embodiments, the TPM 114 also sends an error notification to the BIOS to indicate a validation failure (i.e., the measurement that identifies the current system does not match the stored measurement that identifies the TPM's owner). In response to receiving the error notification, the BIOS causes the error response instructions 112 to be executed. As previously described, the error response instructions 112 are configured to cause at least one action such as halting the computer's boot process, notifying a user or system administrator, booting with the TPM 114 disabled or clearing all the secrets protected by the TPM 114. Also, all error notifications to the BIOS and subsequent responses may be logged for future auditing. In at least some embodiments, the TPM owner or an authorized user is able to selectively control which error responses are used.

In contrast to the first process previously described, the second process does not use the non-volatile memory 108 to store the sealed and/or hashed secret. Thus, in embodiments that implement the second process, the non-volatile memory 108 may be eliminated to lower cost.
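The second process (BIOS derives a platform measurement from manufacturer-chosen configuration parameters, the owned TPM stores it once and compares it on every later boot, the owner picks the error response) as a runnable model. This is an added example, not code from the patent; the canonical encoding in `platform_measurement`, the stand-in `SimulatedTPM` with its `extended_startup` command, the `PlatformConfig` fields and the sample values in the test are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Error responses the TPM owner or an authorized user may select
# (the BIOS error response instructions 112).
ERROR_RESPONSES = ("halt", "notify", "disable_tpm", "clear_secrets")


@dataclass
class PlatformConfig:
    """Constructed sample of the configuration parameters the manufacturer
    chose to include in the measurement."""
    uuid: str
    serial: str
    asset_tag: str
    hdd_id: str
    pci_devices: list            # "vendor:device" strings, any order
    pcr_values: dict             # PCR index -> hex digest


def platform_measurement(cfg: PlatformConfig) -> bytes:
    """BIOS side: SHA-256 over a canonical encoding of the parameters. Fixed
    field order plus sorted lists keep the digest stable across boots of the
    same machine, while any change to an included parameter changes it."""
    h = hashlib.sha256()
    for name in ("uuid", "serial", "asset_tag", "hdd_id"):
        h.update(f"{name}={getattr(cfg, name)}\0".encode())
    for dev in sorted(cfg.pci_devices):
        h.update(f"pci={dev}\0".encode())
    for idx in sorted(cfg.pcr_values):
        h.update(f"pcr{idx}={cfg.pcr_values[idx]}\0".encode())
    return h.digest()


class SimulatedTPM:
    """Stand-in for TPM 114 with the extended startup command of the second process."""

    def __init__(self):
        self.owned = False                       # EK / ownership established?
        self._stored_measurement = None          # written once, survives owner clear
        self.protected_secrets = {"disk_key": b"constructed-key-material"}
        self.accepting_commands = True

    def take_ownership(self):
        self.owned = True

    def owner_clear(self):
        """TPM_OwnerClear model: protected secrets go, stored measurement stays."""
        self.protected_secrets.clear()

    def extended_startup(self, measurement: bytes, policy: str) -> str:
        if not self.accepting_commands:
            return "error"
        if not self.owned:
            return "ignored"                     # no EK: measurement discounted
        if self._stored_measurement is None:
            self._stored_measurement = measurement   # registration boot
            return "success"
        if hmac.compare_digest(measurement, self._stored_measurement):
            return "success"
        if policy == "clear_secrets":
            self.protected_secrets.clear()       # remove all protected secrets
        self.accepting_commands = False          # cease taking BIOS/TSS commands
        return "error"


def boot_validate(tpm: SimulatedTPM, cfg: PlatformConfig,
                  policy: str = "halt", log=None) -> str:
    """Every boot: measure the platform, send it to the TPM, act on the result."""
    if policy not in ERROR_RESPONSES:
        raise ValueError(f"unknown error response: {policy}")
    result = tpm.extended_startup(platform_measurement(cfg), policy)
    if result == "success":
        return "ok: critical TPM functions enabled"
    if result == "ignored":
        return "ok: TPM not owned, measurement ignored"
    if log is not None:                          # audit trail for later review
        log.append(f"validation failed -> {policy}")
    return f"error: {policy}"
```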

By implementing either the first process, the second process or a combination of the processes previously described, it is possible to detect whether an embedded security chip such as a TPM has been physically tampered with (e.g., by removing the embedded security chip from one computer for use in another computer). In at least some embodiments, the embedded security chip is pluggable rather than soldered to a motherboard. In such embodiments, a computer manufacturer is able to implement a single motherboard that is capable of supporting an embedded security chip regardless of whether consumers purchase an embedded security chip (i.e., the motherboard 102 comprises a corresponding mount 122 regardless of whether an embedded security chip is installed or not). If a consumer decides to purchase an embedded security chip after the initial computer purchase, a pluggable embedded security chip may be installed by the consumer, a vendor or the manufacturer with relative ease (compared to soldering). Although some embodiments implement pluggable embedded security chips as described above, alternative embodiments implement embedded security chips that are soldered to the motherboard 102. In such embodiments, soldering increases the difficulty of removing the embedded security chip from its intended platform.

FIG. 2 shows a diagram 200 that illustrates a validation process in accordance with embodiments of the invention. As shown, a first computer 202A comprises an initialized TPM 214A (i.e., the TPM 214A has been initialized to protect secrets such as cryptographic keys exclusively for the first computer 202A) that couples to a BIOS memory 206A via a processor 204A. The processor 204A is configured to process instructions and data received from the BIOS memory 206A and to enable communication between the initialized TPM 214A and the BIOS memory 206A. In embodiments that implement the first process described above, the initialization process causes the BIOS memory 206A to store a sealed secret as well as a hashing of the secret generated by the initialized TPM 214A. Alternatively, in embodiments that implement the second process described above, the initialization process causes the initialized TPM 214A to store a unique measurement received from the BIOS of the first computer 202A. The unique measurement is based on the first computer's unique configuration parameters. During every boot of the first computer 202A, either of the first or second processes previously described is implemented to validate the TPM/platform.

As shown in FIG. 2, removal of the initialized TPM 214A from the original platform (the first computer 202A) may occur. For example, if the initialized TPM 214A is pluggable, a hacker may simply access and unplug the initialized TPM 214A. Alternatively, if the initialized TPM 214A is soldered, a hacker may access and carefully remove the initialized TPM 214A.

As shown in FIG. 2, installation of the initialized TPM 214A into a different platform may occur (e.g., by soldering or plugging the initialized TPM 214A into a corresponding socket or mount). However, when the second computer 202B boots with the initialized TPM 214A, the TPM/platform validation fails. For example, if the first validation process described above is implemented, the TPM/platform validation fails because the BIOS memory 206B of the second computer 202B does not have the secret to be sent to the TPM 214A for validation. If the second validation process described above is implemented, the TPM/platform validation fails because the unique measurement needed for validation cannot be provided by the second computer's BIOS to the initialized TPM 214A (or the measurement provided does not match the measurement stored in the initialized TPM 214A). If both validation processes are implemented, the TPM/platform validation fails because one (or both) of the secret and the unique measurement are not validated. After a validation failure, at least one error response occurs such as halting the boot process, notifying a user or system administrator, booting with the initialized TPM 214A disabled or clearing all the secrets protected by the initialized TPM 214A. Again, the error responses are selectable by a TPM owner or an authorized user based on preferences.

FIG. 3 shows another diagram 300 that illustrates a validation process in accordance with embodiments of the invention. As previously described for FIG. 2, the first computer 202A comprises an initialized TPM 214A that couples to a BIOS memory 206A via a processor 204A. Again, the processor 204A enables communication between the initialized TPM 214A and the BIOS memory 206A as well as processing of instructions and data. During the initialization process of the TPM, either the BIOS memory 206A receives and stores a sealed secret and a hashing of the secret received from the initialized TPM 214A or the initialized TPM 214A receives and stores a measurement that is unique to the first computer 202A.

As shown, removal of the initialized TPM 214A from the first computer 202A and replacement of the initialized TPM 214A with a different TPM 214B may occur. The different TPM 214B may be new, previously initialized on another platform, or previously reset to a factory state. The removal and installation may involve pluggable TPMs or soldered TPMs. When the first computer 202A boots with the different TPM 214B, the TPM/platform validation fails. For example, if the first validation process described above is implemented, the TPM/platform validation fails because the different TPM 214B is unable to unseal the sealed secret and/or does not provide a correct hashing of the secret for comparison with the hashed secret stored in the BIOS memory 206A. If the second validation process described above is implemented, the TPM/platform validation fails because the different TPM 214B does not store the unique measurement that is needed for validation. As a result, an error response occurs such as halting the boot process, notifying a user or system administrator, booting with the different TPM 214B disabled or clearing any secrets protected by the different TPM 214B.

FIG. 4 shows a method 400 in accordance with embodiments of the invention. As shown in FIG. 4, the method 400 comprises initializing an embedded security chip with a computer platform (block 402). During the initialization, a sealed secret and a hashing of the secret are stored in a secure BIOS memory (block 404). In at least some embodiments, the secret is sealed and the hashing of the secret is performed by the embedded security chip. Upon subsequent boot, the sealed secret is validated (block 406). For example, in cases where the secret is sealed by the embedded security chip, the sealed secret is validated by unsealing the sealed secret using the embedded security chip and re-hashing the unsealed secret for comparison with the hashed secret stored in the BIOS memory. If the hashed values match, the secret is validated.

If the sealed secret is validated (determination block 408), critical embedded security chip functions are enabled (block 410). For example, critical embedded security chip functions such as encryption/decryption of data using cryptographic keys may be enabled. If the sealed secret is not validated (determination block 408), an error response is provided (block 412). For example, error responses such as halting a boot process, notifying a user or system administrator, booting with the embedded security chip disabled or clearing any secrets (e.g., cryptographic keys) protected by the embedded security chip may be provided.

FIG. 5 shows another method 500 in accordance with alternative embodiments of the invention. As shown in FIG. 5, the method 500 comprises initializing an embedded security chip with a computer platform (block 502). During the initialization, a unique platform measurement is stored in the embedded security chip (block 504). In at least some embodiments, the unique platform measurement is generated by the BIOS based on a set of configuration parameters specific to a computer platform. For example, configuration parameters such as combinations of the platform's unique identifier (UUID), a serial number, asset tags, a hard drive identifier (ID), a list of peripheral component interconnect (PCI) devices present in the computer 100, and TPM Platform Configuration Register (PCR) values may be used. Upon subsequent boot, the unique platform measurement is validated (block 506). The unique platform measurement may be validated by comparing the measurement stored in the embedded security chip during initialization of the embedded security chip with the measurement generated by the BIOS during each subsequent boot of a computer platform.

If the unique measurement is validated (determination block 508), critical embedded security chip functions are enabled (block 510). Again, critical embedded security chip functions such as encryption/decryption of data using cryptographic keys may be enabled. If the sealed secret is not validated (determination block 508), an error response is provided (block 512). Again, error responses such as halting a boot process, notifying a user or system administrator, booting with the embedded security chip disabled or clearing any secrets (e.g., cryptographic keys) protected by the embedded security chip may be provided. In at least some embodiments, the error responses are selectable and adjustable by the TPM owner or an authorized user.

CLAIMS

1. A method, comprising: initializing an embedded security chip for use with a computer; performing a binding operation between the embedded security chip and the computer; and during each subsequent boot of the computer, validating the binding operation before the embedded security chip performs a cryptographic function.

2. The method of claim 1 wherein performing a binding operation comprises storing a secret in a secure memory of the computer, the secret having been sealed by the embedded security chip.

3. The method of claim 1 wherein performing a binding operation comprises storing a hashing of a secret in a secure memory.

4. The method of claim 3 wherein validating the binding operation comprises re-hashing the secret using the embedded security chip and comparing the re-hashing of the secret with the hashing of the secret stored in the secure memory.

5. The method of claim 1 wherein performing a binding operation comprises storing a measurement based on unique configuration parameters of the computer in the embedded security chip.

6. The method of claim 5 wherein validating the binding operation comprises comparing a current measurement based on unique configuration parameters of a computer with the measurement stored in the embedded security chip.

7. A computer system, comprising: an embedded security chip coupled to the processor, the embedded security chip is configured to perform a cryptographic function; a memory coupled to the embedded security chip, the memory stores validation instructions that, when executed, prevent use of the cryptographic function unless the embedded security chip is validated as having been previously initialized for use with the computer system.

8. The computer system of claim 7 wherein the embedded security chip is initialized for use with the computer system based on a binding operation that comprises transferring secret data from the embedded security chip to the computer system.

9. The computer system of claim 8 wherein the secret data is sealed by the embedded security chip.

10. The computer system of claim 8 wherein the binding operation further comprises storing a hashing of the secret data, the hashing of the secret data being performed by the embedded security chip.

11. The computer system of claim 7 wherein the embedded security chip is initialized for use with the computer system based on a binding operation that comprises the embedded security chip receiving a measurement from the computer system, the measurement being based on unique configuration parameters of the computer system.

12. The computer system of claim 7 wherein the memory stores error response instructions that, when executed, cause an action in response to a failure to validate, the action being selected from a group of actions consisting of halting a boot process, notifying an owner of the embedded security chip, booting with the embedded security chip disabled, and clearing all secrets stored by the embedded security chip.

13. The computer system of claim 7 further comprising a motherboard, wherein the embedded security chip is detachably connected to the motherboard.

14. The computer system of claim 7 further comprising a motherboard, wherein the embedded security chip is soldered to the motherboard.

15. The computer system of claim 7 wherein the embedded security chip comprises a Trusted Platform Module (TPM) and the memory comprises a BIOS memory.

16. The computer system of claim 7 wherein the embedded security chip is initialized for use with the computer system based on an extended Trusted Platform Module (TPM) initialization command that enables the computer system to pass in a secret to a TPM.

17. A storage medium having computer-readable instructions that, when executed, cause a computer to: initialize an embedded security chip for use with the computer; generate a secret that uniquely associates the embedded security chip with the computer; and during each subsequent boot of the computer, verify the identities of the embedded security chip and the computer based on the secret.

18. The storage medium of claim 17 wherein the computer-readable instructions, when executed, further cause the computer to perform at least one action in response to a failure to verify the identities of the embedded security chip and the computer, the at least one action selected from a group of actions consisting of halting a boot process, notifying an owner of the embedded security chip, booting with the embedded security chip disabled, and clearing all secrets stored by the embedded security chip.

19. The storage medium of claim 17 wherein the computer-readable instructions, when executed, further cause the computer to store the secret in a secure BIOS memory of the computer.

20. The storage medium of claim 17 wherein the computer-readable instructions, when executed, further cause the computer to store the secret in the embedded security chip.

21. A computer system, comprising: means for generating a data-structure that uniquely identifies an existing relationship between an embedded security chip and a computer; and means for preventing access to secrets stored by the embedded security chip until the embedded security chip and the computer are positively identified using the data-structure.

22. The computer system of claim 21 further comprising means for securely storing the data-structure in the embedded security chip during an initialization of the embedded security chip.

23. The computer system of claim 21 further comprising means for securely storing the data-structure in a BIOS memory during a boot process of the computer system.